Search code examples
c#active-directorydirectoryserviceschange-passwordaccount-management

C# Active Directory Invoke "ChangePassword" cannot contact domain

I have the following code as part of a web application for my Active Directory users to be able to update their passwords (for active directory and gmail at the same time). I am using C# with System.DirectoryServices.AccountManagement.

This code worked until yesterday

try
{
    State.log.WriteLine("Connecting LDAP.");
    string ldapPath = "LDAP://192.168.76.3";
    DirectoryEntry directionEntry = new DirectoryEntry(ldapPath, domainName + "\\" + userName, currentPassword);
    if (directionEntry != null)
    {
        DirectorySearcher search = new DirectorySearcher(directionEntry);
        State.log.WriteLine("LDAP Connected, searching directory for SAMAccountName");
        search.Filter = "(SAMAccountName=" + userName + ")";
        SearchResult result = search.FindOne();
        if (result != null)
        {
            State.log.WriteLine("Getting User Entry.");
            DirectoryEntry userEntry = result.GetDirectoryEntry();
            if (userEntry != null)
            {
                State.log.WriteLine("Setting Password");
                if (force)
                {
                    userEntry.Invoke("SetPassword", new[] { newPassword });
                }
                else
                {
                    userEntry.Invoke("ChangePassword", new object[] { currentPassword, newPassword });
                }
                userEntry.CommitChanges();
                State.log.WriteLine("Changes Committed to ActiveDirectory.");
            }
            else
            {
                State.log.WriteLine("Could not get user Entry...");
            }
        }
        else
        {
            State.log.WriteLine("Search returned no results.");
        }
    }
    else
    {
        State.log.WriteLine("Could not connect to LDAP with given username and passwd");
    }
}

Since yesterday, this code makes it to the line:

userEntry.Invoke("ChangePassword", new object[] { currentPassword, newPassword });

and then throws the following exception:

[8:37:00 AM] : Password Requirements Met.

[8:37:00 AM] : Connecting LDAP.

[8:37:00 AM] : LDAP Connected, searching directory for SAMAccountName

[8:37:01 AM] : Getting User Entry.

[8:37:01 AM] : Setting Password

[8:37:01 AM] : Failed to reset Windows Password for jason.

Exception has been thrown by the target of an invocation.

The system cannot contact a domain controller to service the authentication request. Please try again later. (Exception from HRESULT: 0x800704F1)

The "force" option using "SetPassword" still works just fine, but the "ChangePassword" method which can be invoked by non-administrator users does not.

Solution

  • Earlier this month Microsoft released a security patch, resolving some vulnerabilities in the area of password change. Specifically, the update blocked fallback to NTLM authentication after a failed Kerberos authentication when changing a password.

    You might want to read more about the update here.